[arch-commits] Commit in perl/trunk (PKGBUILD digest_eval_hole.diff)

Florian Pritz bluewind at archlinux.org
Wed Jan 18 17:05:16 UTC 2012


    Date: Wednesday, January 18, 2012 @ 12:05:15
  Author: bluewind
Revision: 146805

upgpkg: perl 5.14.2-7

fix eval hole in Digest

Added:
  perl/trunk/digest_eval_hole.diff
Modified:
  perl/trunk/PKGBUILD

-----------------------+
 PKGBUILD              |    6 +++-
 digest_eval_hole.diff |   61 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2012-01-18 16:24:18 UTC (rev 146804)
+++ PKGBUILD	2012-01-18 17:05:15 UTC (rev 146805)
@@ -5,7 +5,7 @@
 # Contributor: francois <francois.archlinux.org> 
 pkgname=perl
 pkgver=5.14.2
-pkgrel=6
+pkgrel=7
 pkgdesc="A highly capable, feature-rich programming language"
 arch=(i686 x86_64)
 license=('GPL' 'PerlArtistic')
@@ -17,6 +17,7 @@
 perlbin.sh
 perlbin.csh
 provides.pl
+digest_eval_hole.diff
 0001-Append-CFLAGS-and-LDFLAGS-to-their-Config.pm-counter.patch)
 install=perl.install
 options=('makeflags' '!purge')
@@ -24,6 +25,7 @@
          '5ed2542fdb9a60682f215bd33701e61a'
          '1f0cbbee783e8a6d32f01be5118e0d5e'
          '31fc0b5bb4935414394c5cfbec2cb8e5'
+         '490852b3d77c3b3866d0d75f5fbf5c5d'
          'c25d86206d649046538c3daab7874564')
 
 build() {
@@ -37,6 +39,8 @@
     arch_opts=""
   fi
 
+  patch -Np1 -i $srcdir/digest_eval_hole.diff
+
   ./Configure -des -Dusethreads -Duseshrplib -Doptimize="${CFLAGS}" \
     -Dprefix=/usr -Dinstallprefix=${pkgdir}/usr -Dvendorprefix=/usr \
     -Dprivlib=/usr/share/perl5/core_perl \
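Review bot: The new `patch -Np1 -i $srcdir/digest_eval_hole.diff` line leaves `$srcdir` unquoted and unbraced, while the surrounding Configure invocation spells the sibling variable as `${pkgdir}`; a build directory containing whitespace would split the argument. Use `patch -Np1 -i "${srcdir}/digest_eval_hole.diff"` to match the file's own style and keep the path a single word. The enclosing `build()` function starts outside this hunk (its opening line appears only as context in the previous hunk) and continues past it.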

Added: digest_eval_hole.diff
===================================================================
--- digest_eval_hole.diff	                        (rev 0)
+++ digest_eval_hole.diff	2012-01-18 17:05:15 UTC (rev 146805)
@@ -0,0 +1,61 @@
+From 4b6a7324284e7435a361c58f7ddb32fc0c635bd0 Mon Sep 17 00:00:00 2001
+From: "Michael G. Schwern" <schwern at pobox.com>
+Date: Mon, 3 Oct 2011 19:05:29 +0100
+Subject: Close the eval "require $module" security hole in
+ Digest->new($algorithm)
+
+Also the filter was incomplete.
+
+Bug-Debian: http://bugs.debian.org/644108
+
+Patch-Name: fixes/digest_eval_hole.diff
+---
+ cpan/Digest/Digest.pm    |    6 ++++--
+ cpan/Digest/t/security.t |   14 ++++++++++++++
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 cpan/Digest/t/security.t
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..d714434 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -24,7 +24,7 @@ sub new
+     shift;  # class ignored
+     my $algorithm = shift;
+     my $impl = $MMAP{$algorithm} || do {
+-	$algorithm =~ s/\W+//;
++	$algorithm =~ s/\W+//g;
+ 	"Digest::$algorithm";
+     };
+     $impl = [$impl] unless ref($impl);
+@@ -35,7 +35,9 @@ sub new
+ 	($class, @args) = @$class if ref($class);
+ 	no strict 'refs';
+ 	unless (exists ${"$class\::"}{"VERSION"}) {
+-	    eval "require $class";
++	    my $pm_file = $class . ".pm";
++	    $pm_file =~ s{::}{/}g;
++	    eval { require $pm_file };
+ 	    if ($@) {
+ 		$err ||= $@;
+ 		next;
+diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t
+new file mode 100644
+index 0000000..5cba122
+--- /dev/null
++++ b/cpan/Digest/t/security.t
+@@ -0,0 +1,14 @@
++#!/usr/bin/env perl
++
++# Digest->new() had an exploitable eval
++
++use strict;
++use warnings;
++
++use Test::More tests => 1;
++
++use Digest;
++
++$LOL::PWNED = 0;
++eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
++is $LOL::PWNED, 0;
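Review bot: The replacement `require` in the embedded Digest.pm hunk carries no comment explaining why the file-name form was chosen over the string `eval`, so a later maintainer "simplifying" it back to `eval "require $class"` would reopen the hole this patch closes; I would add above the `my $pm_file = $class . ".pm";` line a comment such as `# $class may derive from the caller-supplied algorithm name: load it by file name so it is never compiled as Perl source`. The `s/\W+//g` change on the first Digest.pm hunk is what makes `$pm_file` safe for the path-based require (only `\w` characters remain), and that dependency is worth stating in the same comment. The embedded `sub new` starts and ends outside the quoted hunks, and this file is an upstream (Debian) patch applied verbatim, so any wording change belongs in a local follow-up rather than in the vendored file.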



